Introduction
In today's cloud-centric world, managing access to resources securely is paramount. Google Cloud Platform (GCP) offers a robust solution through service accounts, which are special types of Google accounts intended for applications and workloads such as virtual machines (VMs) rather than for end users. This project walks you through the process of configuring, using, and auditing VM service accounts and scopes in GCP. By the end of this project, you will have a solid understanding of how to create and manage service accounts, associate them with VMs, and use them to access Google Cloud services like BigQuery.
Project Objectives
Create and Manage Service Accounts: Learn how to create service accounts and assign appropriate roles to them.
Associate Service Accounts with VMs: Understand how to link service accounts to VM instances for secure access to GCP services.
Access BigQuery from a Service Account: Use client libraries to run queries on BigQuery public datasets from a Compute Engine instance.
Audit and Monitor Service Account Usage: Ensure that service accounts are used securely and in compliance with your organization's policies.
Step-by-Step Guide
1. Creating a Service Account
Step 1: Sign in to the Google Cloud Console using your credentials.
Step 2: Open Cloud Shell by clicking the "Open Cloud Shell" button on the top right toolbar.
Step 3: Run the following command to create a service account:
gcloud iam service-accounts create my-sa-123 --display-name "my service account"
Step 4: Grant roles to the service account using the following command (the lab uses the broad basic role roles/editor for simplicity; in production, prefer a narrower predefined role that covers only what the workload needs):
gcloud projects add-iam-policy-binding ${DEVSHELL_PROJECT_ID} \
--member serviceAccount:my-sa-123@${DEVSHELL_PROJECT_ID}.iam.gserviceaccount.com \
--role roles/editor
2. Creating a VM Instance and Associating a Service Account
Step 1: In the Cloud Console, navigate to Compute Engine > VM Instances.
Step 2: Create a new VM instance named bigquery-instance.
Step 3: SSH into the VM instance by clicking the SSH button.
Step 4: Install necessary dependencies by running the following commands:
sudo apt-get update -y
sudo apt-get install -y git python3-pip
sudo pip3 install six==1.13.0
sudo pip3 install --upgrade pip
sudo pip3 install --upgrade google-cloud-bigquery
sudo pip3 install pandas
3. Accessing BigQuery from a Service Account
Step 1: Create a new service account in the Cloud Console with the name bigquery-qwiklab.
Step 2: Grant the service account the following roles:
BigQuery Data Viewer: Access to view datasets and their contents.
BigQuery User: Access to run queries, create datasets, and list tables.
Step 3: Use the echo command to create a Python script (query.py) that will run a query on a BigQuery public dataset:
from google.auth import compute_engine
from google.cloud import bigquery

# Obtain credentials from the Compute Engine metadata server for the
# service account attached to this VM; no key file is stored on disk.
credentials = compute_engine.Credentials(
    service_account_email='YOUR_SERVICE_ACCOUNT'
)

# Count births per year in the public natality sample after 2000.
query = '''
SELECT year, COUNT(1) as num_babies
FROM publicdata.samples.natality
WHERE year > 2000
GROUP BY year
'''

client = bigquery.Client(
    project='YOUR_PROJECT_ID',
    credentials=credentials
)

# Run the query and load the result into a pandas DataFrame.
print(client.query(query).to_dataframe())
Step 4: Replace YOUR_PROJECT_ID and YOUR_SERVICE_ACCOUNT with your actual project ID and service account email using the sed command:
sed -i "s/YOUR_PROJECT_ID/$(gcloud config get-value project)/g" query.py
sed -i "s/YOUR_SERVICE_ACCOUNT/bigquery-qwiklab@$(gcloud config get-value project).iam.gserviceaccount.com/g" query.py
Step 5: Run the script to execute the query and display the results.
4. Auditing Service Account Usage
Step 1: Use Google Cloud's IAM & Admin section to monitor and audit the usage of service accounts.
Step 2: Check the Activity logs to ensure that the service account is being used as intended and that there are no unauthorized access attempts.
Step 3: Set up alerts for any unusual activity related to the service account.
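To make the "used as intended" check in Steps 2 and 3 concrete, the following script (an added example, not part of the original lab) triages Cloud Audit Log entries for the bigquery-qwiklab service account and reports calls that were denied, came from an IP other than the VM, or used a method a query-only workload should never call. The project ID, the VM's internal IP and the log entries themselves are constructed assumptions; the field names follow the Cloud Audit Log protoPayload layout.

```python
"""Triage constructed Cloud Audit Log entries for one service account."""
from typing import Iterable

# Assumptions (not from the lab): project id, and the VM's internal IP.
EXPECTED_PRINCIPAL = "bigquery-qwiklab@example-project.iam.gserviceaccount.com"
EXPECTED_CALLER_IPS = {"10.128.0.2"}  # internal IP of bigquery-instance
# Legacy BigQuery AuditData method names produced when query.py runs a job.
EXPECTED_METHODS = {"jobservice.insert", "jobservice.query", "jobservice.getqueryresults"}
PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED in protoPayload.status.code

# Constructed sample entries in Cloud Audit Log shape (not a real export).
SAMPLE_LOG = [
    {"insertId": "a1", "protoPayload": {"methodName": "jobservice.query",
     "authenticationInfo": {"principalEmail": EXPECTED_PRINCIPAL},
     "requestMetadata": {"callerIp": "10.128.0.2"}, "status": {}}},
    {"insertId": "a2", "protoPayload": {"methodName": "jobservice.insert",
     "authenticationInfo": {"principalEmail": EXPECTED_PRINCIPAL},
     "requestMetadata": {"callerIp": "203.0.113.7"}, "status": {}}},
    {"insertId": "a3", "protoPayload": {"methodName": "datasetservice.delete",
     "authenticationInfo": {"principalEmail": EXPECTED_PRINCIPAL},
     "requestMetadata": {"callerIp": "10.128.0.2"},
     "status": {"code": 7, "message": "Permission denied"}}},
    {"insertId": "a4", "protoPayload": {"methodName": "jobservice.query",
     "authenticationInfo": {"principalEmail": "alice@example.com"},
     "requestMetadata": {"callerIp": "198.51.100.4"}, "status": {}}},
]


def audit_entries(entries: Iterable[dict], principal: str = EXPECTED_PRINCIPAL) -> list[dict]:
    """Return one finding per anomaly observed in calls made by `principal`."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue  # other identities are out of scope for this check
        method = payload.get("methodName", "")
        caller_ip = payload.get("requestMetadata", {}).get("callerIp", "")
        reasons = []
        if payload.get("status", {}).get("code") == PERMISSION_DENIED:
            reasons.append("permission denied: a role is missing or the SA is being misused")
        if caller_ip not in EXPECTED_CALLER_IPS:
            reasons.append(f"call from unexpected IP {caller_ip}: credential may have left the VM")
        if method not in EXPECTED_METHODS:
            reasons.append(f"unexpected method {method} for a query-only workload")
        for reason in reasons:
            findings.append({"insertId": entry["insertId"], "method": method, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_entries(SAMPLE_LOG):
        print(f"{f['insertId']} {f['method']}: {f['reason']}")
```

Against a real project, feed the function entries exported from Cloud Logging with a filter on protoPayload.authenticationInfo.principalEmail, and wire the same three conditions into a log-based alerting policy for Step 3.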
Conclusion
In this project, we successfully:
Created and managed service accounts in Google Cloud.
Associated a service account with a VM instance.
Used client libraries to access BigQuery from a service account.
Ran a query on a BigQuery public dataset from a Compute Engine instance.
By following these steps, you can ensure that your Google Cloud resources are accessed securely and efficiently using service accounts. This project is a great addition to your personal blog, as it provides a hands-on guide for anyone looking to enhance their cloud security practices.
Additional Resources